erwin_mi

join:2004-07-27
Belgium

 Net-Integration hacked just one moment ago!

Several members of net-integration forums ( »forums.net-integration.net ) received multiple identical e-mails with a link to a trojan. Just a moment after I reported this issue, the forum got hacked. Source code of the received e-mail (with the link disabled):

X-Message-Status: n
X-SID-PRA: eagle1@peace.emfc.com
X-SID-Result: TempError
X-Message-Info: P6ocH0G7nHBlfQzc98R2MJBOUZKh6KE6Xa0aHYSFpzc=
Received: from peace.emfc.com ([67.43.1.57]) by mc4-f37.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
 Tue, 16 Aug 2005 07:05:36 -0700
Received: from eagle1 by peace.emfc.com with local (Exim 4.44)
id 1E5168-0007dh-BW; Tue, 16 Aug 2005 09:03:20 -0400
To: webmaster@net-integration.net
Subject: Protect Your PC !!! ( From Net-Integration Forums )
From: "Net-Integration Forums" <webmaster@net-integration.net>
X-Priority: 3
X-Mailer: IPB PHP Mailer
Message-Id: <E1E5168-0007dh-BW@peace.emfc.com>
Sender: <eagle1@peace.emfc.com>
Date: Tue, 16 Aug 2005 09:03:20 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - peace.emfc.com
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [32004 32009] / [47 12]
X-AntiAbuse: Sender Address Domain - peace.emfc.com
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php admin.php
X-Source-Dir: net-integration.net:/public_html/forums
Return-Path: eagle1@peace.emfc.com
X-OriginalArrivalTime: 16 Aug 2005 14:05:37.0548 (UTC) FILETIME=[93D72CC0:01C5A26B]

Protect Your PC !!!

Please download antivirus protection
antivirusprotection.pisem.net/avp.exe

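As an added example (not part of erwin_mi's post), a small Python check over the quoted headers that flags what a defender would notice: the display From claims the forum while Sender and Return-Path point at peace.emfc.com, the Exim hop says "with local" (injected on the box rather than relayed in), and X-Source-Args names the forum's own PHP script as the mailer. The header text below is constructed from the lines quoted above, with the body trimmed.

```python
import email
import email.utils
from email import policy

# Header block constructed from the message quoted in the thread (body trimmed).
RAW_MAIL = """\
Received: from peace.emfc.com ([67.43.1.57]) by mc4-f37.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
\tTue, 16 Aug 2005 07:05:36 -0700
Received: from eagle1 by peace.emfc.com with local (Exim 4.44)
\tid 1E5168-0007dh-BW; Tue, 16 Aug 2005 09:03:20 -0400
To: webmaster@net-integration.net
Subject: Protect Your PC !!! ( From Net-Integration Forums )
From: "Net-Integration Forums" <webmaster@net-integration.net>
X-Mailer: IPB PHP Mailer
Sender: <eagle1@peace.emfc.com>
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php admin.php
X-Source-Dir: net-integration.net:/public_html/forums
Return-Path: eagle1@peace.emfc.com

Protect Your PC !!!
"""

def domain_of(value):
    """Lower-cased domain of an address header value such as '<user@host>'."""
    return email.utils.parseaddr(str(value))[1].rpartition("@")[2].lower()

def analyse_headers(raw):
    """Return a list of human-readable findings about the header block."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    # Display From claims the forum; Sender/Return-Path show the real origin.
    for hdr in ("Sender", "Return-Path"):
        if msg[hdr] and domain_of(msg[hdr]) != from_dom:
            findings.append(f"{hdr} domain {domain_of(msg[hdr])} != From domain {from_dom}")
    # Exim's "with local" means the mail was injected on the host, not relayed in.
    if any("with local" in str(r) for r in msg.get_all("Received", [])):
        findings.append("injected locally on the originating host")
    # Web-app mailer headers name the script; correlate with the forum's logs.
    if msg["X-Source-Args"]:
        findings.append(f"sent by script: {msg['X-Source-Args']}")
    return findings

if __name__ == "__main__":
    for finding in analyse_headers(RAW_MAIL):
        print("-", finding)
```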

Fredra
Undesirable Alien

join:2000-04-08
Nepean, ON


That is interesting....
I got three (3) emails...but didn't open any of them, as I thought...why would "net-integration" be sending me anything....so I deleted them all.
Now this is strange indeed.
Thanks for letting us know.
Cheers
--
The Endless


EGeezer
Summertime -
Premium
join:2002-08-04
Country!


 reply to erwin_mi
Net-Integration page -11:20 AM EDT

The link to the forum ( »forums.net-integration.net/ ) yielded this at 11:20 AM EDT - offline for security purposes
--
Every
Good
Electrical
Engineer
Zeroes
Each
Register


erwin_mi

join:2004-07-27
Belgium

said by EGeezer:

The link to the forum ( »forums.net-integration.net/ ) yielded this at 11:20 AM EDT - offline for security purposes
Didn't you see the address field? The forum is redirected to »peace.emfc.com . I hope this redirection was done by a real admin to avoid more damage...


sybille
Not only "just visiting"
Premium
join:2004-04-06
France


reply to erwin_mi
Re: Net-Integration hacked just one moment ago!

Confirmation from me.

I received the same mail. Since I'm running Linux, I decided to download the avp.exe file in order to scan it at jotti's. (I wouldn't have done this from within Windows, of course.) Several scanners there identified the file as a trojan downloader (with heuristics, it seemed, so this may be a new variant).

So, I went to net-integration and posted. While I was pasting in the scanner results, another thread was started. I went to edit my thread in order to include a link to the new thread, and at that point got the error message from peace.emfc.com.

In any case, no one needs to rescan the file at jotti's, etc. I have submitted it to the list of AV companies in the FAQ, as well.


EGeezer
Summertime -
Premium
join:2002-08-04
Country!


reply to erwin_mi
Re: Net-Integration page -11:20 AM EDT

Yes, I saw it. My post is for information only and to document the result of going to the site at the time in case the result changes.

Per whois, efmc.com domain is owned by net-integration.

ht tp://efmc.com goes to a sales recruiting page for an undisclosed antispyware product. The fax number in the ad is very close to the number listed in WHOIS registration. With these things in mind, I'd surmise that it's a legitimate redirection.

Pisem.net traces to Russia, as far as Moscow - also appears to have an open mail relay.

--
Every
Good
Electrical
Engineer
Zeroes
Each
Register


Sysadmin
NoBama
Premium,MVM
join:2000-07-07
Sacramento, CA
reply to erwin_mi
Re: Net-Integration hacked just one moment ago!

I received two emails from them as well. They looked suspicious so I deleted them.


John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England
reply to erwin_mi
I had three of these emails. Needless to say, I didn't follow the link.

boblandy
Premium
join:2002-05-06

reply to erwin_mi
I received four such emails all sent within the span of 30 minutes, saying...

"Protect Your PC !!!

Please download antivirus protection" (with link)


I definitely did not open the link
--
look out kid they keep it all hid


cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA

reply to erwin_mi
I got 3 of those emails. Yahoo email shot them straight into my Bulk folder. I might have been tempted to open them, except for reading your advisory, so thank you.
--
Cheers,
Chuck
MS-MVP [Windows - Networking]
PChuck's Network

MagnusM
Premium
join:2001-07-07

reply to erwin_mi
I did open the file (*)

When run, this trojan copies itself to C:\Windows\csrss.exe and also drops the file C:\Windows\dll.dll. The actual trojan is a password stealer that will attempt to grab your ICQ, email account, dialup and other passwords. Any found passwords are mailed to two Russian email addresses.

If an Internet connection is available, the trojan will attempt to download and execute further files from a Hungarian web site. Unfortunately these files are no longer available and so could not be analyzed.

(*) On a lab machine. Do not attempt at home.
--
Mischel Internet Security
http://www.misec.net

suzi
Premium
join:2004-05-01

reply to erwin_mi
The forum was apparently hacked before the email was sent. Someone hacked in and got to the admin panel to send the emails. The site was shut down shortly afterward for security reasons. Several people at CastleCops.com have confirmed the file in the link contains a virus.
--
aka Suzi, Spyware Warrior
Microsoft MVP Windows Security 2005
Sunbelt Software Consultant

TeMerc

join:2004-01-22
Phoenix, AZ
reply to erwin_mi
I got 3 of 'em this morning, in my MailWasherPro box, and I just deleted them. It seemed odd they would send me anything via email. But I didn't think to go to the site.

Hope they get things fixed up quickly.


antiserious
The Future ain't what it used to be
Premium
join:2001-12-12
Scranton, PA
reply to erwin_mi

... I've been waiting 4 days for a reply from them on a login problem - I wonder how long this has been going on, and if it's related ...

--
... "Do You Know Where Your Towel Is ?" ...


DSL_Steve
Premium
join:2003-11-28
Woodbury, CT
I just found three emails from *them* in my SBC-Yahoo junk email folder and promptly deleted them.

boblandy
Premium
join:2002-05-06
reply to MagnusM
So does TH currently detect this trojan?
--
look out kid they keep it all hid

bpm3k

join:2004-08-15
Simi Valley, CA


I tried to download the file and I couldn't. IE rocks. However, I was successful in downloading the file using Firefox.

Here are jotti and virustotal results:

Jotti:
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Dropped:Trojan.Small.AL
ClamAV Found Trojan.LdPinch-34
Dr.Web Found Trojan.PWS.LDPinch.400
F-Prot Antivirus Found unknown virus (probable variant)
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-PSW.Win32.LdPinch.gen
NOD32 Found a variant of Win32/PSW.LdPinch
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan.LdPinch.27 (probable variant)

VirusTotal (engine, signature version, update date, result):

AntiVir 6.31.1.0 08.16.2005 no virus found
Avast 4.6.695.0 08.16.2005 Win32:Trojano-265
AVG 718 08.15.2005 no virus found
Avira 6.31.1.0 08.16.2005 no virus found
BitDefender 7.0 08.16.2005 Dropped:Trojan.Small.AL
CAT-QuickHeal 7.03 08.16.2005 (Suspicious) - DNAScan
ClamAV devel-20050725 08.15.2005 Trojan.LdPinch-34
DrWeb 4.32b 08.16.2005 Trojan.PWS.LDPinch.400
eTrust-Iris 7.1.194.0 08.16.2005 no virus found
eTrust-Vet 11.9.1.0 08.16.2005 no virus found
Fortinet 2.36.0.0 08.16.2005 suspicious
F-Prot 3.16c 08.16.2005 could be infected with an unknown virus
Ikarus 0.2.59.0 08.16.2005 Trojan.Win32.Small.AL
Kaspersky 4.0.2.24 08.16.2005 Trojan-PSW.Win32.LdPinch.gen
McAfee 4559 08.16.2005 PWS-LDPinch.gen.b
NOD32v2 1.1194 08.15.2005 a variant of Win32/PSW.LdPinch
Norman 5.70.10 08.16.2005 no virus found
Panda 8.02.00 08.15.2005 Trj/Ldpinch.gen
Sophos 3.96.0 08.16.2005 Troj/LdPnch-Fam
Sybari 7.5.1314 08.16.2005 Trojan-PSW.Win32.LdPinch.gen
Symantec 8.0 08.16.2005 no virus found
TheHacker 5.8.2.088 08.16.2005 no virus found
VBA32 3.10.4 08.16.2005 suspected of Trojan.LdPinch.27

Neither Ewido nor A-squared detects the file when I scan it with them on demand.
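As an added example (not bpm3k's own), a short Python triage of multi-scanner results like the ones above: it counts how many engines flag the file and finds the family token the vendors agree on despite their different naming schemes. The input is a constructed subset of the VirusTotal lines quoted in the post.

```python
import re
from collections import Counter

# Constructed subset of the VirusTotal-style lines quoted in the thread.
SCAN_LINES = """\
AntiVir 6.31.1.0 08.16.2005 no virus found
Avast 4.6.695.0 08.16.2005 Win32:Trojano-265
BitDefender 7.0 08.16.2005 Dropped:Trojan.Small.AL
CAT-QuickHeal 7.03 08.16.2005 (Suspicious) - DNAScan
ClamAV devel-20050725 08.15.2005 Trojan.LdPinch-34
DrWeb 4.32b 08.16.2005 Trojan.PWS.LDPinch.400
Kaspersky 4.0.2.24 08.16.2005 Trojan-PSW.Win32.LdPinch.gen
McAfee 4559 08.16.2005 PWS-LDPinch.gen.b
Symantec 8.0 08.16.2005 no virus found
VBA32 3.10.4 08.16.2005 suspected of Trojan.LdPinch.27
"""

CLEAN_VERDICTS = {"no virus found", "found nothing"}
# Generic vendor vocabulary that carries no family information.
NOISE = {"trojan", "troj", "psw", "pws", "win32", "gen", "dropped",
         "suspected", "of", "variant", "a"}

def parse_scan(text):
    """Yield (engine, verdict); the version and date columns are skipped."""
    for line in text.splitlines():
        engine, _version, _date, verdict = line.split(maxsplit=3)
        yield engine, verdict

def triage(text):
    """Detection count plus the family token most engines agree on."""
    rows = list(parse_scan(text))
    detected = [v for _e, v in rows if v.lower() not in CLEAN_VERDICTS]
    votes = Counter()
    for verdict in detected:
        # Vendor names differ in punctuation and case; compare alphabetic tokens,
        # one vote per engine per token.
        for tok in set(re.split(r"[^A-Za-z]+", verdict.lower())):
            if tok and tok not in NOISE:
                votes[tok] += 1
    family, count = votes.most_common(1)[0] if votes else (None, 0)
    return {"engines": len(rows), "detected": len(detected),
            "family": family, "votes": count}

if __name__ == "__main__":
    print(triage(SCAN_LINES))
```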

ReGen

join:2003-07-24
Scotland

reply to boblandy
said by boblandy:

So does TH currently detect this trojan?
It does with the latest update just released.

boblandy
Premium
join:2002-05-06
thanks for the heads up, ReGen
--
look out kid they keep it all hid

Atribune

join:2004-11-21


reply to erwin_mi
peace.emfc.com is the server that Net-Integration is on. I have been updating and submitting the file to the major AV and antitrojan vendors.

Net Integration was taken down by Eagle1 after he received news of the emails, in an attempt to protect users who have as of yet not received these emails.

Eagle1 is at present working towards a solution for this.
Saturday, 04-Jul 15:23:10 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 9.5 years online! © 1999-2009 dslreports.com.